Is a Windows 2003 Terminal Service session secure without a VPN connection?

Posted on 2007-11-23
Last Modified: 2013-11-21
I need to connect two small offices over basic cable broadband connections.  The staff in office A will have a Windows 2003 Server w/ Terminal Services to host a series of applications and files.  The staff in office B will log in via terminal services to their accounts and use the applications/files.  

Is the terminal service connection (from login to logout) secure so that a VPN connection is not needed?  Are there any printing gotchas/concerns over terminal services which I should prepare for?

Other details:
- offices will merge to one single office space in one year (this office to office connection is temporary)
- at times staff may log into terminal service session from home
- both offices currently only have basic cable broadband internet access
- all printing will be local to the office where the user is located (users in office B will need to be able to printers local to the office B network; users in office B will not need to print to office A printers)
- offices are not in line of sight and are 10 miles apart
Question by:dandacci
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 31

Accepted Solution

Cláudio Rodrigues earned 500 total points
ID: 20341758
This is a question that people will debate all over and have different opinions on the answer. Here you have my own (and I know some here will probably bash me...).
RDP by itself is encrypted. The thing is, due to the way Microsoft implemented the encryption keys, it is subject to man in the middle attacks.
The thing is, all these years working with TS I am still to see one single customer that had a TS hacked when exposed to the internet. Not a single one.
So, do I think a VPN is needed? No.
You can implement, if you are paranoid, SecureRDP on the TS (freeware from, that we developed before they acquired my company, Terminal-Services.NET) and customize the RDP client to have your own, unique version number and filter by that. Check this article I wrote:

And you can always install RecordTS on the terminal server (another software we wrote, now under my new company, and record everything that happens at the RDP level (in case you want to record someone trying to hack your TS).

For printing, a couple things to keep in mind:
1. Try to get a printer that is supported by native, out-of-the-box Windows Server 2003 drivers (meaning the drivers shipped with the OS, not requiring anything to be installed). These will work for sure.
2. Avoid host based printers (the ones that use the PC to do all the work normally done by the printer hardware).
3. Avoid as much as you can loading ANY printer driver on the TS UNLESS you have no other option.
4. Consider a product like UniPrint, SimplifyPrint or ThinPrint. They sure cost money BUT will save you a LOT of headaches with printing on TS.

And to wrap this up, TS is pretty good with bandwidth utilization BUT make sure your links are not heavily used for things like web browsing, email etc otherwise RDP will have to compete with everything else and performance will suffer.


Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services


Author Closing Comment

ID: 31410733
Thank you Claudio (tsmvp).  Your answer was clear and very helpful.  The printing might get tedious.  I will follow up on your suggestions.  Thank you again!!!

Featured Post

Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip Migration Tip #1 – Source Server Health can be found here: http://www.experts-exchang…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question